Comment 9 for bug 1873290

Gage Hugo (gagehugo) wrote : Re: OAuth1 request token authorize silently ignores roles parameter

First impact draft below, please review:

Title: OAuth1 request token authorize silently ignores roles parameter
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0

Description:
kay reported a vulnerability in Keystone's OAuth1 Token API. Previously the list of roles provided for an OAuth1 access token was ignored, so when an access token was created, it would contain every role assignment the creator had for the project. This results in an OAuth1 access token having more role assignments than the creator intended, possibly giving unintended escalated access.
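To make the impact concrete, the following is an added, hypothetical model of the role handling described in the draft above; it is not Keystone's code and does not mirror its API or data structures. `authorize_vulnerable` reproduces the reported behaviour (requested roles ignored, every creator role on the project copied into the token), `authorize_fixed` shows the expected behaviour (token limited to the requested roles, which must be a subset of what the creator holds), and `excess_roles` is a small audit helper for comparing an issued token's roles against what was requested. Role and project identifiers are constructed sample values.

```python
"""Hypothetical model of OAuth1 access-token role handling (added example,
not Keystone's own code)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RequestToken:
    token_id: str
    project_id: str


def authorize_vulnerable(creator_roles, requested_role_ids, request_token):
    """Reported behaviour: the roles parameter is silently ignored and the
    access token receives every role assignment the creator holds on the
    project."""
    held = creator_roles.get(request_token.project_id, set())
    return sorted(held)


def authorize_fixed(creator_roles, requested_role_ids, request_token):
    """Expected behaviour: the token carries only the requested roles, and
    each requested role must be one the creator actually holds on the
    project; anything else is rejected rather than ignored."""
    held = creator_roles.get(request_token.project_id, set())
    requested = set(requested_role_ids)
    if not requested:
        raise ValueError("at least one role must be requested")
    missing = requested - held
    if missing:
        raise PermissionError(
            f"creator does not hold requested roles: {sorted(missing)}"
        )
    return sorted(requested)


def excess_roles(token_role_ids, requested_role_ids):
    """Audit helper: roles present on an issued token that were never
    requested. A non-empty result indicates the over-privileging the
    report describes."""
    return sorted(set(token_role_ids) - set(requested_role_ids))


if __name__ == "__main__":
    # Constructed sample data: the creator holds three roles on proj-1 but
    # only asks for "reader" on the access token.
    creator = {"proj-1": {"member", "admin", "reader"}}
    token = RequestToken(token_id="req-123", project_id="proj-1")
    requested = ["reader"]

    issued = authorize_vulnerable(creator, requested, token)
    print("vulnerable token roles:", issued)
    print("excess roles:", excess_roles(issued, requested))
    print("fixed token roles:", authorize_fixed(creator, requested, token))
```

Running the module prints the over-privileged role list for the vulnerable path and the single requested role for the fixed path; the same `excess_roles` comparison can be applied to roles read back from an existing token to spot tokens issued before the fix.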